Filed under: HW hacking

Hacking a Yacom / Orange ARV4518PW router

The spanish Ya.com ADSL connection comes with an ARV4518PW modem/router/access point. It looks like this:

SMC7908A_ISP_v2

Unfortunately, the router configuration forces you to have an ADSL username ending in a domain like @yacomadsl, @orange, or a few other pre-defined domains. This is to prevent you from using the router with another ADSL provider. But, heck! We don’t like these kind of boundaries, let’s tear them down!

Luckily for us, the router web gui does not implement any input validation. Here follows the procedure to input an arbitrary ADSL username.

Settings

  • These are some numbers appearing on the back of the router:
    • Model Name: ARV4518PW
    • HW Version: R01A
    • Astoria networks
    • Production date: 04/2010
  • This applies for firmware version 0.10.016. It could work as well for older firmwares. You can check your firmware version in the Status page.

The Quick way

  1. You may want to reset the router: while it’s turned on, press the reset button for 5 seconds.
  2. Log in the web gui. This is usually http://192.168.2.1 and the default password is admin
  3. From the same computer you logged in, set these variables with proper values (I’m assuming a bash shell):
    IP="192.168.2.1" # Your router web gui IP address
    VPI=8
    VCI=35
    ENCAPSULATION=1 # 1 for LLC, 0 for VC-MUX
    USERNAME="your username"
    PASSWORD="your password"
  4. Run this command:
    wget "http://"$IP"/cgi-bin/qs2.exe" --post-data="ATM_Protocol=4&qISPType=37&ISP_ConnType=0&VC_VPI="$VPI"&VC_VCI="$VCI"&VC_AAL5="$ENCAPSULATION"&ISP_Username="$USERNAME"&ISP_Username_Domain=20&ISP_Password="$PASSWORD"&ISP_Password_Conf="$PASSWORD -O /dev/null
  5. Go to http://192.168.2.1/wait0.stm and check your data, then click on Finish. The router will reboot.
  6. Go to http://192.168.2.1 and log in, click on status to check that everything is working properly. After a bunch of seconds, you should see ADSL: CONNECTED. Cool! You can go through the menu to configure the router. I’d recommend to disable the built-in firewall because it causes problems with P2P traffic.

The classy way (installing OpenWRT)

As you have noticed, this is a tricky workaround. But your router can give you much more! You can install the OpenWRT firmware that lets you do more stuff. Unfortunately, you need to open its case, connect through a serial port and a converter, and upload the firmware. Information about the OpenWRT support of this modem can be found on the OpenWRT Wiki and detailed instructions to install it are here (first post, spanish) and here (spanish).

Explanation / troubleshooting

How did the trick work? Point is, the web gui forces you to set a domain for the username (click on “Setup Wizard”). This is chosen from a drop-down menu. Have a look at the HTML source, the drop-down menu is as follows:

<select name="ISP_Username_Domain">
<option value="0">@orangeadsl </option>
<option value="1">@orange </option>
 .... more domains
<option selected="" value="7">@yacomadsl </option>
</select>

Each domain corresponds to a value (an integer from 0 to 7) the variable ISP_Username_Domain can assume. And a gui that does input validation should check that the value passed by the browser falls in that range. Luckily for us, it doesn’t. So what happens if we pass values like 8, -1, 18, 20? Weird strings, taken from somewhere into the router’s memory, are appended to the username. Of course, if one of this values appends the empty string, we win: the username we pass will not be modified in any way.

Here are a few values not in the range [0,7] and how the username “billgates” gets modified:

  • -3 -> “billgatesTCP”
  • -1 -> “billgatesUser Defined Service”
  • 1 -> “billgates@orange
  • 9 -> “billgatesWEP”
  • 18 -> The router crashes and reboots 😀 (probably a Segmentation fault)
  • 20 -> “billgates” Bam! Empty string!

And that’s the reason why, in the step-by-step guide, we give 20 as parameter to the ISP_Username_Domain variable.

If the parameter 20 does not work for you (this may happen if your firmware version differ), you can check yourself what’s the correct parameter with this small script:

#!/bin/bash
IP=192.168.2.1

for (( n=-5 ; n<40 ; n++)) do
  echo "TESTING PARAMETER: $n"
  wget "http://"$IP"/cgi-bin/qs2.exe" --post-data="ATM_Protocol=4&qISPType=37&ISP_ConnType=0&VC_VPI=8&VC_VCI=35&VC_AAL5=1&ISP_Username=billgates&ISP_Username_Domain=$n&ISP_Password=aaa&ISP_Password_Conf=aaa" -q -O /dev/null
  wget "http://"$IP"/setupq6_main.stm" -O /dev/stdout -q | grep billgates
done

An see if, for some value of n, you get the original username “billgates”. Still, you have to be logged in the web gui from the same machine where you run the script. Ah, and you want to avoid n=18 😉

For any question, please leave a comment.

June 19, 2013


Calendar

December 2017
M T W T F S S
« Jun    
 123
45678910
11121314151617
18192021222324
25262728293031

Archives

Categories